- \n
- \nVictim:<\/strong> KuCoin cryptoexchange<\/li>\n
- \nWhen:<\/strong> September 26, 2020<\/li>\n
- \nLoss:<\/strong> around $285 million<\/li>\n<\/ul>\n
\nOn the night of September 25\/26, 2020, security officers at the Singapore-based company KuCoin detected<\/a> a series of abnormal transactions from several hot wallets. To halt the suspicious transactions they transferred all remaining assets from the compromised hot wallets to cold storage<\/a>. The whole incident lasted about two hours from detection to completion. During this time, the attackers managed to withdraw approximately $285 million<\/a> in several cryptocurrencies.<\/p>\n
The investigation revealed that the cybercriminals had accessed the private keys of the hot wallets. One of the primary suspects is Lazarus Group, a North Korean APT<\/a> cybergang. This is because the attackers employed a multi-stage algorithm to launder the loot, similar to the schemes used in previous hacks by Lazarus group. First, they ran equal amounts of crypto through a tumbler<\/a> (a tool for mixing cryptocurrency funds with others to obscure the trail), then transferred the cryptocurrency through decentralized platforms<\/a>.<\/p>\n
Despite the scale, this heist was not the end of the cryptoexchange. The day after the theft, KuCoin CEO Johnny Lyu promised during a livestream to reimburse the stolen funds. Lyu kept his word, and by November 2020 he\u2019d tweeted that 84% of the affected assets had been returned to their owners<\/a>. The remaining 16% were covered<\/a> by KuCoin\u2019s insurance fund.\n<\/p>\n
4. Money out of thin air<\/h2>\n
- \n
- \nVictim:<\/strong> Wormhole cross-chain bridge<\/li>\n
- \nWhen:<\/strong> February 2, 2022<\/li>\n
- \nLoss:<\/strong> $334 million<\/li>\n<\/ul>\n
\nNext in our Top-5 is a heist that used a vulnerability in Wormhole, the cross-chain bridging protocol<\/a>. The cybercriminals were aided by the fact that the platform\u2019s developers had made their program code public. But first things first\u2026<\/p>\n
Wormhole is a tool that mediates cryptocurrency transactions. Specifically, it allows users to move tokens between the Ethereum and Solana networks. Technically, the exchange works like this: tokens are frozen in one chain, while so-called \u201cwrapped tokens\u201d of the same value are issued in the other.<\/p>\n
Wormhole is an open-source project with its own repository on GitHub. Shortly before the heist, the developers placed code there to fix a vulnerability in the protocol. But the attackers managed to exploit the vulnerability<\/a> before the changes took effect.<\/p>\n
The bug allowed them to bypass the transaction verification<\/a> on the Solana side and issue 120,000 \u201cwrapped ETH\u201d (worth around $334 million at the time of the attack) without freezing the equivalent collateral in the Ethereum blockchain. The cybercriminals transferred two-thirds of the total amount to an Ethereum wallet, and used the rest to buy other tokens.<\/p>\n
Wormhole publicly appealed to the attackers to return the stolen funds and detail the exploit for a $10 million<\/a> reward. The cybercriminals ignored the generous offer.<\/p>\n
The day after the heist, Wormhole tweeted<\/a> that all funds had been restored and the bridge was operating as before. The financial hole was closed<\/a> by Jump Trading \u2014 the company that had bought Wormhole\u2019s developer six months before the incident. Judging by open-source information, the thieves remain unknown.\n<\/p>\n
3. Three-year heist<\/h2>\n
- \n
- \nVictim:<\/strong> Mt.Gox cryptoexchange<\/li>\n
- \nWhen:<\/strong> February 2014<\/li>\n
- \nLoss:<\/strong> $480 million<\/li>\n<\/ul>\n
\nThe history of Mt.Gox begins<\/a> way back in 2007, when it was a platform for exchanging cards from the Magic: The Gathering<\/a> game. Three years later, amid the growing popularity of cryptocurrencies, the site owner, US programmer Jed McCaleb, decided to turn it into a cryptoexchange, but then sold the service to French developer Mark Karpel\u00e8s in 2011. Just two years later, Mt.Gox was trading<\/a> around 70% of the world\u2019s bitcoin.<\/p>\n
The rapid rise was followed by a crippling crash. On February 7, 2014, the exchange suddenly blocked all bitcoin withdrawals. The company blamed<\/a> the move on technical issues. Outraged customers gathered outside the headquarters of Mt.Gox in Tokyo, demanding their money back. Their protest fell on deaf ears.<\/p>\n
The remarkable thing about this story is that the Mt.Gox heist began in 2011. Back then, unknown hackers got hold <\/a>of the private keys to a hot wallet on the exchange and began to gradually siphon off bitcoin from it. By 2013, the cybercriminals had deposited 630,000 BTC into their accounts.<\/p>\n
Mt.Gox finally ended trading on February 28, 2014, when Karpel\u00e8s declared<\/a> it bankrupt and apologized for the \u201cweaknesses in the system\u201d that had wiped out roughly 750,000 BTC of customers\u2019 funds and 100,000 BTC of its own. The amount of stolen funds is usually given at around $480 million \u2014 this is the value of the total number of stolen tokens at the exchange rate on the day before the exchange filed for bankruptcy \u2014 February 27.<\/p>\n
Note, though, that in the time after Mt.Gox ceased trading and before it declared bankruptcy, the bitcoin price fell heavily. If calculated at the exchange rate on February 6 (the day before the exchange actually shut down), the loss would be around $660 million. However, both of these figures are tentative: they don\u2019t factor in the three-year duration of the heist during which time the exchange rate fluctuated wildly. So it\u2019s hard to pinpoint the exact amount of damage.<\/p>\n
![\"Bitcoin](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/10\/25210433\/top-5-cryptocurrency-heists-mtgox.jpg\")
<\/a>Bitcoin exchange rate in February 2014. Source<\/a><\/p><\/div>\n
How was the attack even possible? According to former employees<\/a>, the company\u2019s management was rather negligent when it came to many important issues. For example, Mt.Gox had serious problems with financial reporting. Moreover, a proper quality-and-security audit of the code was never undertaken: there was no version control system, for instance.<\/p>\n
Prosecutors charged<\/a> Mt.Gox owner, Karpel\u00e8s, with embezzlement of around $3 million worth of clients\u2019 funds. But they failed to prove this in court. In the end, Karpel\u00e8s only received a suspended sentence of two years and six months for data manipulation and was acquitted on other charges.\n<\/p>\n
2. Almost half a billion<\/h2>\n
- \n
- \nVictim:<\/strong> Coincheck cryptocurrency exchange<\/li>\n
- \nWhen:<\/strong> January 26, 2018<\/li>\n
- \nLoss:<\/strong> $496 million<\/li>\n<\/ul>\n
\nCoincheck is one of Japan\u2019s largest cryptoexchanges. In 2018, cybercriminals managed to steal<\/a> from it more than 500 million NEM tokens worth roughly the same amount in dollars.<\/p>\n
The company claimed that their security system was robust, and didn\u2019t report how exactly the intruders carried out the attack. That said, some experts believe that the cybercriminals may have gained access to the private keys of the Coincheck hot wallets with the aid of malware embedded on a computer in the company\u2019s office.<\/p>\n
The attackers also created their own site selling<\/a> NEM tokens for bitcoin and other cryptocurrencies at a 15% discount. As a result, the NEM exchange rate fell sharply, and Coincheck lost around $500 million, which, however, did not force the exchange to close. What\u2019s more, the criminals couldn\u2019t be traced. The exchange had to suspend operations for a while and promised to compensate<\/a> clients with its own funds.<\/p>\n
![\"NEM](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/10\/25210441\/top-5-cryptocurrency-heists-coincheck.jpg\")
<\/a>NEM exchange rate after the Coincheck incident. Source<\/a><\/p><\/div>\n
1. Job offer with a surprise<\/h2>\n
- \n
- \nVictim:<\/strong> Ronin Network blockchain platform<\/li>\n
- \nWhen:<\/strong> March 23, 2022<\/li>\n
- \nLoss:<\/strong> $540 million<\/li>\n<\/ul>\n
\nRonin Network was specifically created by Sky Mavis for the play-to-earn game Axie Infinity<\/a>, allowing players to buy the in-game currency Smooth Love Potion (SLP)<\/a>. In late March 2022, unknown attackers stole<\/a> from Ronin a record $540 million worth of cryptocurrency. They were aided by spyware and the magic of social engineering.<\/p>\n
The targeted attack<\/a> was aimed at Sky Mavis employees, one of whom took the bait (most likely on LinkedIn). Having passed a \u201cselection process\u201d, one of senior engineers received a \u201cjob offer\u201d in the form of a PDF file with spyware inside. This enabled the thieves to take control of four of the network\u2019s private validator<\/a> keys.<\/p>\n
To gain access to the company\u2019s assets, they needed to compromise at least five of the nine validators. As just mentioned, the spyware helped them get hold of four keys. The fifth they got hold of due to an oversight by the company itself, which had authorized Axie DAO (decentralized autonomous organization<\/a>) to sign off on transactions to help Ronin Network mitigate user volume, and then forgot to revoke the permission.<\/p>\n
Sky Mavis, however, quickly recovered from the incident. In June 2022, it relaunched<\/a> the blockchain platform and began compensating affected players.<\/p>\n
![\"NFT](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/10\/25210448\/top-5-cryptocurrency-heists-axie.jpg\")
<\/a>NFT character from blockchain-based game Axie Infinity. Replica<\/a><\/p><\/div>\n
Bonus. A hack with a refund<\/h2>\n
- \n
- \nTarget:<\/strong> Poly Network cross-chain protocol<\/li>\n
- \nWhen:<\/strong> August 10, 2021<\/li>\n
- \nLoss (later recovered):<\/strong> $610 million<\/li>\n<\/ul>\n
\nAs a bonus story, let\u2019s finish with another huge crypto heist \u2014 which ended with the return of every cent of the loot. Here\u2019s what happened\u2026<\/p>\n
Poly Network<\/a> is yet another protocol for implementing blockchain interoperability. In summer 2021, it witnessed one of the biggest heists in cryptocurrency history. An unknown hacker, exploiting a vulnerability in Poly Network, stole more than $600 million in various cryptocurrencies<\/a>.<\/p>\n
Poly Network appealed<\/a> to the perpetrator on Twitter to return the stolen tokens. To everyone\u2019s amazement, the hacker made contact<\/a> and agreed. They proceeded to transfer the stolen tokens bit by bit, dividing them into several unequal parts.<\/p>\n
The online exchange between the hacker and Poly Network went on for quite some time. During it, the attacker stated he wasn\u2019t interested in money and had only carried out the heist for \u201cideological reasons\u201d. As a mark of gratitude, Poly Network dropped its claims against him, guaranteed his anonymity, offered<\/a> a reward of $500,000 and even invited him to become its chief security consultant. It also launched a bug-bounty program<\/a> worth $500,000.\n<\/p>\n
No real moral to the story, but\u2026<\/h2>\n
\nWe\u2019ve listed here only the Top-5 crypto heists, all of which targeted major organizations. But of course many minor incidents affect ordinary users all the time. Therefore, every investor needs to take steps to secure their assets. Here are some helpful tips:\n<\/p>\n
- \n
- Choose platforms for trading and other operations carefully: read feedback and reviews, and, if possible, consult with experienced users you trust.<\/li>\n
- Don\u2019t give anyone the login details for your account on the exchange or your wallet credentials. Remember to keep not only your passwords and private keys secret, but also your seed phrase<\/a>.<\/li>\n
- Store your main cryptocurrency savings in cold wallets: unlike hot ones, they don\u2019t need to be permanently online and so are more secure in general.<\/li>\n
- If you do use a hot wallet, be sure to enable two-factor authentication.<\/li>\n
- Beware of phishing. To learn how to spot cryptocurrency hunters, see this post<\/a>.<\/li>\n
- Use a reliable solution<\/a> that protects financial transactions, prevents malware from stealing your wallet password or private key, and warns you about scam sites.<\/li>\n<\/ul>\n\n","protected":false},"excerpt":{"rendered":"
Hundreds of millions of dollars stolen: the five biggest heists in cryptocurrency history.<\/p>\n","protected":false},"author":2684,"featured_media":20274,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[374,1308,1505,82,97],"class_list":{"0":"post-20272","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-bitcoin","9":"tag-blockchain","10":"tag-cryptocurrencies","11":"tag-hacking","12":"tag-security-2"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/top-5-cryptocurrency-heists\/20272\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/top-5-cryptocurrency-heists\/24794\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/top-5-cryptocurrency-heists\/10194\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/top-5-cryptocurrency-heists\/27318\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/top-5-cryptocurrency-heists\/25131\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/top-5-cryptocurrency-heists\/25480\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/top-5-cryptocurrency-heists\/28040\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/top-5-cryptocurrency-heists\/27343\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/top-5-cryptocurrency-heists\/34151\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/top-5-cryptocurrency-heists\/45945\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/top-5-cryptocurrency-heists\/19684\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/top-5-cryptocurrency-heists\/20284\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/top-5-cryptocurrency-heists\/29447\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/top-5-cryptocurrency-heists\/32811\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/top-5-cryptocurrency-heists\/28611\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/top-5-cryptocurrency-heists\/25540\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/top-5-cryptocurrency-heists\/31179\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/top-5-cryptocurrency-heists\/30886\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/cryptocurrencies\/","name":"cryptocurrencies"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2684"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20272"}],"version-history":[{"count":7,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20272\/revisions"}],"predecessor-version":[{"id":21061,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20272\/revisions\/21061"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20274"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- \nWhen:<\/strong> August 10, 2021<\/li>\n
- \nWhen:<\/strong> March 23, 2022<\/li>\n
- \nWhen:<\/strong> January 26, 2018<\/li>\n
- \nWhen:<\/strong> February 2014<\/li>\n
- \nWhen:<\/strong> February 2, 2022<\/li>\n
- \nWhen:<\/strong> September 26, 2020<\/li>\n